On Wed, Mar 14, 2018 at 01:37:58PM +0100, Florian Westphal wrote:
> in nftables, 'meter' can be used to instantiate a hash-table at run
> time:
>
> rule add filter forward iif "internal" meter hostacct { ip saddr counter}
> nft list meter ip filter hostacct
> table ip filter {
> meter hostacct {
> type ipv4_addr
> elements = { 192.168.0.1 : counter packets 8 bytes 2672, ..
>
> because elemets get added on the fly, the kernel must chose a set
> backend type that implements the ->update() function, otherwise
> rule insertion fails with EOPNOTSUPP.
>
> Therefore, skip set types that lack ->update, and also
> make sure we do not discard a (bad) candidate when we did yet
> find any candidate at all. This could happen when userspace prefers
> low memory footprint -- the set implementation currently checked might
> not be a fit at all. Make sure we pick it anyway (!bops). In
> case next candidate is a better fix, it will be chosen instead.
>
> But in case nothing else is found we at least have a non-ideal
> match rather than no match at all.
Applied, thanks Florian.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
